From 8f53acf0661371fc72889521f2e12a20a3541ab4 Mon Sep 17 00:00:00 2001
From: changtao
Date: Fri, 11 Oct 2024 01:10:34 +0800
Subject: [PATCH] fix-CVE-2024-6762

---
 0001-fix-CVE-2024-6762.patch | 24 +++++++++++++++++++++++
 0002-fix-CVE-2024-6762.patch | 38 ++++++++++++++++++++++++++++++++++++
 jetty.spec | 7 ++++++-
 3 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-CVE-2024-6762.patch
 create mode 100644 0002-fix-CVE-2024-6762.patch

diff --git a/0001-fix-CVE-2024-6762.patch b/0001-fix-CVE-2024-6762.patch
new file mode 100644
index 0000000..f0e86e7
--- /dev/null
+++ b/0001-fix-CVE-2024-6762.patch
@@ -0,0 +1,24 @@
+From c9fb33ab85959921ff3183311587af02772dda89 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts
+Date: Fri, 11 Oct 2024 00:40:06 +0800
+Subject: [PATCH] fix CVE-2024-6762
+
+---
+ .../java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 8e73a17..32df129 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -42,6 +42,7 @@ import org.eclipse.jetty.server.Response;
+ import org.eclipse.jetty.util.log.Log;
+ import org.eclipse.jetty.util.log.Logger;
+ 
++@Deprecated
+ public class PushSessionCacheFilter implements Filter
+ {
+ private static final String TARGET_ATTR = "PushCacheFilter.target";
+-- 
+2.43.0
+
@@ -0,0 +1,38 @@
+From 2588cedddca989b6b96e6954ae6e8fc8f3e1c487 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts
+Date: Fri, 11 Oct 2024 00:57:36 +0800
+Subject: [PATCH] fix-CVE-2024-6762
+
+---
+ .../eclipse/jetty/servlets/PushSessionCacheFilter.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 32df129..f539fae 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -42,6 +42,9 @@ import org.eclipse.jetty.server.Response;
+ import org.eclipse.jetty.util.log.Log;
+ import org.eclipse.jetty.util.log.Logger;
+ 
++/**
++ * @deprecated no replacement for this deprecated http feature
++ */
+ @Deprecated
+ public class PushSessionCacheFilter implements Filter
+ {
+@@ -51,6 +54,11 @@ public class PushSessionCacheFilter implements Filter
+ private final ConcurrentMap _cache = new ConcurrentHashMap<>();
+ private long _associateDelay = 5000L;
+ 
++ public PushSessionCacheFilter()
++ {
++ LOG.warn(PushSessionCacheFilter.class.getSimpleName() + " is an example class not suitable for production.");
++ }
++
+ @Override
+ public void init(FilterConfig config) throws ServletException
+ {
+-- 
+2.43.0
+
diff --git a/jetty.spec b/jetty.spec
index 76e671c..6b1f676 100644
--- a/jetty.spec
+++ b/jetty.spec
@@ -12,7 +12,7 @@
 %bcond_with jp_minimal
 Name: jetty
 Version: 9.4.16
-Release: 6
+Release: 7
 Summary: Java Webserver and Servlet Container
 License: Apache-2.0 OR EPL-1.0
 URL: http://www.eclipse.org/jetty/
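Review bot: Both nested patches stop at deprecation: after 0002's second hunk the `_cache` field is still an unbounded `ConcurrentHashMap`, and the new constructor only emits a single `LOG.warn` when the filter is instantiated, so a webapp that still declares PushSessionCacheFilter in its web.xml keeps the unbounded-cache memory growth that CVE-2024-6762 describes. If the intended mitigation for 9.4.16 is "do not deploy this filter", the Javadoc should say that rather than only noting the absence of a replacement, e.g. `@deprecated example code only; the per-session push-target cache is not bounded, so remove this filter from any deployed web.xml`, and the spec changelog entry should carry the same sentence. The page shows `ConcurrentMap _cache` without type arguments, which looks like rendering stripped the angle brackets; worth confirming the patch file on disk still applies to 9.4.16 (`index 32df129..f539fae` presumes 0001 has been applied first). Since 0002 rewrites the same spot 0001 touches, squashing the two into one Patch entry would avoid carrying the intermediate revision in which `@Deprecated` has no `@deprecated` Javadoc.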
@@ -28,6 +28,8 @@ Patch3: CVE-2021-28169.patch
 Patch4: CVE-2021-34428.patch
 Patch5: CVE-2022-2047.patch
 Patch6: CVE-2022-2048.patch
+Patch7: 0001-fix-CVE-2024-6762.patch
+Patch8: 0002-fix-CVE-2024-6762.patch
 
 BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) < 4.0.0
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@@ -796,6 +798,9 @@ exit 0
 %license LICENSE NOTICE.txt LICENSE-MIT
 
 %changelog
+* Tue Oct 18 2024 changtao - 9.4.16-7
+- fix-CVE-2024-6762.patch
+
 * Thu Jul 18 2024 yaoxin - 9.4.16-6
 - License compliance rectification
 
-- 
Gitee
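Review bot: The new %changelog entry's date is inconsistent: 18 Oct 2024 is a Friday, not a Tuesday, and rpmbuild checks the weekday against the date and reports `bogus date in %changelog` (recent rpm releases treat this as a build error rather than a warning). Change the line to `* Fri Oct 18 2024 changtao - 9.4.16-7`, and consider stating what the change does, e.g. `- deprecate PushSessionCacheFilter and warn at construction (CVE-2024-6762)`, instead of repeating a patch file name that does not match either of the two files added. The %prep section is outside these hunks, so confirm Patch7 and Patch8 are actually applied there (explicit `%patch7 -p1` / `%patch8 -p1` unless the spec relies on `%autosetup`); the Release bump in the earlier hunk is fine.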